Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Verify that you successfully added the data source

Confirm that the data source you added is successfully parsing events.

  1. In Splunk UBA, select Manage > Data Sources.
  2. Click the name of the data source that you added.
  3. Review the Data Source Details.
  4. Click the parsed events icon and review the 10 sample events. Make sure that each event lists event views.

Some data sources, such as DHCP, DNS, AD, or HTTP, do not provide a destination device. If you ingest one of these data types and see validation error messages, you can ignore them after you examine the raw event and confirm that it contains no destination device.

Run the script after adding a data source

You can run the following script after adding a data source to verify that the system is up and running. Additional exceptions noted by the script indicate custom configuration steps or other issues that need remediation.

/opt/caspida/bin/utils/uba_health_check.sh

Last modified on 12 July, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1

